Abstract

We consider games played on an infinite probabilistic arena where the 
first player aims at satisfying generalized Büchi objectives almost surely,
i.e., with probability one. We provide a fixpoint characterization of the 
winning sets and associated winning strategies in the case where the arena 
is decisive. From this we directly deduce the decidability of these games 
on probabilistic lossy channel systems. 



1 Introduction 

2-player stochastic games are games where two players, Alice and Bob, interact 
in a probabilistic environment. Given an objective formalized, e.g., as an
ω-regular condition, the goal for Alice is to maximize the probability to fulfill
the condition, against any behaviour of her opponent. Qualitative questions 
ask whether Alice can win almost-surely (resp. positively) from a given initial 
configuration. Solving a stochastic game then amounts to deciding the latter 
question, as well as providing winning strategies for the players. In the case 
where the arena is finite, the literature offers several general results on the 
existence of optimal strategies, the determinacy of the games, and algorithmic 
methods for computing solutions, when the objectives range in complexity from 
simple reachability objectives to arbitrary Borel objectives [551 1221 |2"T] . 

For infinite arenas, general results are scarce and mostly concern purely
mathematical, non-algorithmical, aspects, such as determinacy [28]. An obvious
explanation for the lack of algorithmical results is that already solving a
Büchi game with a single player and no stochastic aspects on the configurations
of a Turing machine (a very regular arena) is a $\Sigma^1_1$-complete, hence "highly
undecidable", problem.

Decidability can be regained for infinite arenas if it is known that they are
generated in some specific way. In the field of algorithmic verification, the
stochastic games with infinite arenas originate from classical infinite-state
models. Prominent examples with positive results are stochastic games on systems
with recursion [231 H], on one-counter automata [TH1 HZ], and on lossy channel
systems [Hill]. In all these examples, the description of winning sets and winning
strategies is specific to the underlying infinite-state model, and relies on ad-hoc
techniques.

In this paper we follow a more generic approach, and study stochastic games
on infinite arenas for which we only assume decisiveness, which roughly means
that almost surely, if a set of configurations is always reachable, then it will be
eventually visited.

Our contributions. Our first contribution is a simple fixpoint characterization
of the winning sets and associated winning strategies for generalized Büchi
objectives with probability one. The characterization is not concerned with
computability and applies to any countable decisive arena. Using μ-calculus
notation to define, and reason about, the winning sets and winning strategies
makes the correctness proof rather direct: it is possible to give a fully detailed
correctness proof in under three pages.

Our second contribution is an application of the above characterization to
prove the computability of winning sets (for generalized Büchi objectives) in
arenas generated by probabilistic lossy channel systems (PLCS). Rather than
using ad-hoc reasoning, we just need to follow the approach advocated in [8]
and use a generic finite-time convergence theorem for well-structured transition
systems (more generally: for fixpoints over the powersets of WQO's). This allows
us to infer the computability and the regularity of the winning sets directly
from the fact that the fixpoint characterization uses "upward-guarded" fixpoint
terms on regularity-preserving operators. The method easily accommodates
arbitrary regular arena partition, PLCS extended with regular guards, and other
kinds of unreliability.

Related work on lossy channel systems. An early positive result for
stochastic games on probabilistic lossy channel systems is the decidability of
single-player reachability or Büchi games with probability one (dually, safety or
co-Büchi with positive probability) [5]. Then [2] proved the determinacy and
decidability of two-player stochastic games on PLCS for (single) Büchi objectives
with probability one. On PLCS, these positive results cannot be extended
much — in particular to parity objectives — since Büchi games with positive
probability are undecidable, already in the case of a single player [5]. Attempts
to extend the decidability beyond (generalized) Büchi must thus abandon some
generality in other dimensions, e.g., by restricting to finite-memory strategies,
as in the one-player case [5].

Outline of the paper. Section 2 introduces the necessary concepts and notations
on turn-based stochastic games. Section 3 provides the characterization of
winning configurations in the general case of decisive arenas. Section 4 focuses
on stochastic games on lossy channel systems and explains how decidability is
obtained.

2 Stochastic games on decisive arenas 

We consider general 2-player stochastic turn-based games on countable arenas. 
In such games, the two players choose moves in turns and the outcome of their 
choice is probabilistic. 

Definition 2.1. A turn-based stochastic arena is a tuple $\mathcal{G} = (\mathit{Conf}, \mathit{Moves}, P)$
such that $\mathit{Conf}$ is a countable set of configurations partitioned into
$\mathit{Conf}_A \cup \mathit{Conf}_B$, $\mathit{Moves}$ is a finite set of moves, and
$P : \mathit{Conf} \times \mathit{Moves} \to \mathit{Dist}(\mathit{Conf})$ is
a partial function whose values are probabilistic distributions of configurations.
We say that move $m$ is enabled in configuration $c$ when $P(c, m)$ is defined.
$\mathcal{G}$ is eternal (also deadlock-free) if for all $c$ there is some enabled $m$.
The set of possible configurations $\mathit{Conf}$ of the game is partitioned into
configurations "owned" by each of the players: in some $c \in \mathit{Conf}_A$, player
A, or "Alice", chooses the next move, while if $c \in \mathit{Conf}_B$, it is player B,
"Bob", who chooses. It is useful to consider informally that, beyond Alice
and Bob, there is a third party called "the environment" who is responsible
for the probabilistic behaviors. This is why the game is stochastic: after
each move $m$ of one of the players, the environment chooses the next
configuration probabilistically according to $P(c, m)$. For a configuration $c$, when
move $m \in \mathit{Moves}$ is selected, we write $\mathit{Post}[m](c)$ for the set of possible
configurations from $c$ after $m$:
$\mathit{Post}[m](c) \stackrel{\text{def}}{=} \{c' \in \mathit{Conf} \mid P(c, m)(c') > 0\}$,
and, symmetrically, $\mathit{Pre}[m](c)$ denotes the set of possible predecessors by $m$:

$$\mathit{Pre}[m](c) \stackrel{\text{def}}{=} \{c' \in \mathit{Conf} \mid P(c', m)(c) > 0\}.$$

Runs and strategies. For simplification purposes, and without any real loss
of generality, we assume in the rest of this paper that all arenas are eternal, aka
deadlock-free. A run of $\mathcal{G}$ is a (non-empty) sequence
$\rho \in \mathit{Conf}^* \cup \mathit{Conf}^\omega$, finite or
infinite, of configurations. A strategy for player A resolves all non-deterministic
choices in $\mathit{Conf}_A$ by mapping every run ending in an A-configuration (i.e., a
configuration $c \in \mathit{Conf}_A$) to a move enabled in $c$. Formally, a strategy $\sigma$ for
A is a mapping $\sigma : \mathit{Conf}^*\,\mathit{Conf}_A \to \mathit{Moves}$ such that for every history run
$\rho = c_0 c_1 \cdots c_n$ with $c_n \in \mathit{Conf}_A$, $\sigma(\rho) \in \mathit{Moves}$ is enabled in $c_n$. Symmetrically,
a strategy for player B is a mapping $\tau : \mathit{Conf}^*\,\mathit{Conf}_B \to \mathit{Moves}$ which assigns
an enabled move to each history run ending in $\mathit{Conf}_B$. The pair of strategies
$(\sigma, \tau)$ is called a strategy profile. Note that in this paper we restrict to pure, also
called deterministic, strategies. Allowing for randomization would not change
the winning configurations [20].

Not all runs agree with a given strategy profile. We say that a finite or
infinite run $\rho = c_0 c_1 \cdots c_n \cdots$ is compatible with $(\sigma, \tau)$ if for every prefix
$\rho_i = c_0 \cdots c_i$ of $\rho$, $c_i \in \mathit{Conf}_A$ implies $P(c_i, \sigma(\rho_i))(c_{i+1}) > 0$, and
$c_i \in \mathit{Conf}_B$ implies $P(c_i, \tau(\rho_i))(c_{i+1}) > 0$.

Semantics. The behavior of $\mathcal{G}$ under strategy profile $(\sigma, \tau)$ is described by
an infinite-state Markov chain $\mathcal{G}_{\sigma,\tau}$ where the states are finite runs compatible
with $(\sigma, \tau)$, and where there is a transition from $\rho_i$ to $\rho_{i+1} = \rho_i \cdot c_{i+1}$ with
probability $P(c_i, \sigma(\rho_i))(c_{i+1})$ if $c_i \in \mathit{Conf}_A$, and $P(c_i, \tau(\rho_i))(c_{i+1})$ if $c_i \in \mathit{Conf}_B$.
Standardly — see, e.g., [31] for details — with the Markov chain $\mathcal{G}_{\sigma,\tau}$ and a
starting configuration $c_0$, is associated a probability measure on the set of runs
of $\mathcal{G}$ starting with $c_0$ and where behaviors are ruled by $(\sigma, \tau)$.

It is well-known that given $\varphi$ an LTL formula where atomic propositions
are arbitrary sets of configurations, the set of runs that satisfy $\varphi$ is measurable.
Below we write $\mathbb{P}_{\sigma,\tau}(c_0 \models \varphi)$ for the measure of runs of $\mathcal{G}_{\sigma,\tau}$ that start with $c_0$
and satisfy $\varphi$, and use the standard "$\Box$", "$\Diamond$" and "$\bigcirc$" symbols for linear-time
modalities "always", "eventually" and "next".

Objectives. Given a stochastic arena $\mathcal{G}$, the objective of the game describes
the goal Alice aims at achieving. In this paper we consider generalized Büchi
objectives. Let $R_1, \ldots, R_r \subseteq \mathit{Conf}$ be $r$ sets of configurations, with an associated
generalized Büchi property $\varphi = \bigwedge_{i=1}^{r} \Box\Diamond R_i$. We consider the game on $\mathcal{G}$
where Alice's objective is to satisfy $\varphi$ with probability one.

We say that a strategy $\sigma$ for Alice is almost-surely winning from $c_0$ for
objective $\varphi$ if for every strategy $\tau$ for Bob, $\mathbb{P}_{\sigma,\tau}(c_0 \models \varphi) = 1$. In this case, we say
that configuration $c_0$ is winning (for Alice). The set of winning configurations
is denoted: $\langle A \rangle^{=1}\varphi$.

Decisiveness. In this paper, we focus on a subclass of stochastic arenas, 
namely those that are decisive, following a terminology introduced for Markov 
chains in 

Definition 2.2. A Markov chain is decisive if for every subset $U$ of states and
every initial state $s$, $\mathbb{P}(s \models \Box\Diamond U \vee \Diamond\neg\mathit{Pre}^*(U)) = 1$ — where $\mathit{Pre}^*(U)$ denotes
the set of configurations from which there is a non-zero probability of reaching
$U$ in the chain —.

An arena $\mathcal{G}$ is decisive if for every strategy profile $(\sigma, \tau)$, the Markov chain $\mathcal{G}_{\sigma,\tau}$
is decisive.

Assuming $\mathcal{G}$ is decisive, the definition rewrites: for every $U \subseteq \mathit{Conf}$, for
every initial configuration $c_0$ and for every strategy profile $(\sigma, \tau)$

$$\mathbb{P}_{\sigma,\tau}(c_0 \models \Box\Diamond U \vee \Diamond\neg\mathit{Pre}^*_{\sigma,\tau}(U)) = 1, \tag{1}$$

where $\neg\mathit{Pre}^*_{\sigma,\tau}(U)$ denotes the set of configurations that can no longer reach $U$
in $\mathcal{G}_{\sigma,\tau}$, formally $c \in \mathit{Pre}^*_{\sigma,\tau}(U) \Leftrightarrow \mathbb{P}_{\sigma,\tau}(c \models \Diamond U) > 0$. Examples of decisive
arenas are coarse arenas (when there is some global lower-bound $p > 0$ such
that $P(c, m)(c') > 0$ implies $P(c, m)(c') \geq p$) and arenas with a finite attractor
(when there exists a finite set $F \subseteq \mathit{Conf}$ which is visited infinitely often almost
surely) [1] [7]. We want to stress that we do not require our infinite arenas to
be coarse or even finitely-branching (when $\mathit{Post}[m](c)$ is finite for every $c$ and
$m$). We observe that the characterization of winning sets we provide in the next
section is not valid for general countable arenas (a counterexample with only 1
player can be obtained, e.g., from the system built in pQ).

3 Solving generalized Büchi games

In this section we provide a simple fixpoint characterization of the set of winning
configurations (and of the associated winning strategy) for games with
a generalized Büchi objective that should be satisfied almost-surely. For this
characterization and its proof of correctness, we use terms with fixpoints combining
functions and constants over the complete lattice $2^{\mathit{Conf}}$ of all sets of
configurations.

3.1 A μ-calculus for fixpoint terms

We assume familiarity with μ-calculus notation and only recall the basic concepts
and notations we use below. The reader is referred to 115] for more
details.

The set of subsets of configurations with the inclusion, $(2^{\mathit{Conf}}, \subseteq)$, is a complete
Boolean lattice. We consider monotonic operators, i.e., $n$-ary mappings
$f : (2^{\mathit{Conf}})^n \to 2^{\mathit{Conf}}$ such that $f(U_1, \ldots, U_n) \subseteq f(V_1, \ldots, V_n)$ when $U_i \subseteq V_i$
for all $i = 1, \ldots, n$. (A constant $U \subseteq \mathit{Conf}$ is a 0-ary monotonic operator.)
Formally, the language $L_\mu = \{\varphi, \psi, \ldots\}$ of terms with fixpoints is given by the
following abstract grammar

$$\varphi ::= f(\varphi_1, \ldots, \varphi_n) \mid X \mid \mu X.\varphi \mid \nu X.\varphi$$

where $f$ is any $n$-ary monotonic operator and $X$ is any variable. Terms $\mu X.\varphi$
and $\nu X.\varphi$ are least and greatest fixpoint expressions.

The complementation operator $\neg$, defined with $\neg U = \mathit{Conf} \setminus U$, may be used
when writing down terms as long as any bound variable is under the scope
of an even number of negations. Such terms can be rewritten in positive forms
by using the dual $\widetilde{f}$ of any $f$, defined with
$\widetilde{f}(U_1, \ldots, U_n) = \neg f(\neg U_1, \ldots, \neg U_n)$.
Note that $\widetilde{f}$ is monotonic since $f$ is.

The semantics of terms is as expected (see [HI US]). Since we only use
monotonic operators in our fixpoint terms, all the terms have a well-defined
interpretation as a subset of $\mathit{Conf}$ for closed terms, and more generally as a
monotonic $n$-ary mapping over $2^{\mathit{Conf}}$ for terms with $n$ free variables. We slightly
abuse notation, letting e.g. $\varphi(X_1, \ldots, X_n)$ denote both a term in $L_\mu$ and its
denotation as an $n$-ary monotonic operator. Similarly, $\varphi(\psi_1, \ldots, \psi_n)$ is the
term obtained by substituting $\psi_1, \ldots, \psi_n \in L_\mu$ for the (free occurrences of)
the $X_i$'s in $\varphi$, but when $U_1, \ldots, U_n \subseteq \mathit{Conf}$ are constants, $\varphi(U_1, \ldots, U_n)$ also
denotes the application of the operator defined by $\varphi$ over the $U_i$'s.

When reasoning on fixpoint terms, one often uses unfoldings, i.e., the following
equalities that just state that a least or greatest fixpoint is indeed a
fixpoint:

$$\mu X.\varphi(X, \ldots) = \varphi(\mu X.\varphi(X, \ldots), \ldots), \qquad \nu X.\varphi(X, \ldots) = \varphi(\nu X.\varphi(X, \ldots), \ldots).$$

Recall that the least (or greatest) fixpoint is the least pre-fixpoint (greatest
post-fixpoint):

$$\varphi(U) \subseteq U \text{ implies } \mu X.\varphi(X) \subseteq U, \qquad \varphi(U) \supseteq U \text{ implies } \nu X.\varphi(X) \supseteq U.$$

It is well-known (Kleene's fixpoint theorem) that when monotonic operators
are $\bigcup$- and $\bigcap$-continuous, —i.e., satisfy $f(\bigcup_i U_i) = \bigcup_i f(U_i)$ and
$f(\bigcap_i U_i) = \bigcap_i f(U_i)$ —, their least and greatest fixpoints are obtained as the limits of
$\omega$-length sequences of approximants. We do not assume $\bigcap$/$\bigcup$-continuity in our
setting (e.g., $\mathit{Pre}$ is not $\bigcap$-continuous when finite-branching is not required)
and fixpoints are obtained as the stationary limits of transfinite ordinal-indexed
sequences of approximants (see [IS]): for a set $U = \mu X.\varphi(X)$ defined as a least
fixpoint, the approximants $(U_\alpha)_{\alpha \in \mathit{Ord}}$ are defined inductively with $U_0 = \emptyset$,
$U_{\beta+1} \stackrel{\text{def}}{=} \varphi(U_\beta)$ for a successor ordinal, and
$U_\lambda \stackrel{\text{def}}{=} \bigcup_{\beta<\lambda} U_\beta$ for a limit ordinal
$\lambda$. For a greatest fixpoint $V = \nu X.\varphi(X)$, they are given by $V_0 = \mathit{Conf}$,
$V_{\beta+1} \stackrel{\text{def}}{=} \varphi(V_\beta)$ and $V_\lambda \stackrel{\text{def}}{=} \bigcap_{\beta<\lambda} V_\beta$.

3.2 Characterization of winning configurations 

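We first introduce auxiliary operators that let us reason about strategies and
characterize the winning sets. Let $\mathit{Enabled}(c) \subseteq \mathit{Moves}$ denote the set of moves
enabled in configuration $c$ and for $X, Y \subseteq \mathit{Conf}$ let

$$\mathit{Pre}^{\exists}(X, Y) \stackrel{\text{def}}{=} \{c \in \mathit{Conf} \mid \exists m \in \mathit{Enabled}(c),\ \mathit{Post}[m](c) \subseteq X \text{ and } \mathit{Post}[m](c) \cap Y \neq \emptyset\},$$
$$\mathit{Pre}^{\forall}(X, Y) \stackrel{\text{def}}{=} \{c \in \mathit{Conf} \mid \forall m \in \mathit{Enabled}(c),\ \mathit{Post}[m](c) \subseteq X \text{ and } \mathit{Post}[m](c) \cap Y \neq \emptyset\}.$$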

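It is clear that $\mathit{Pre}^{\exists}$ and $\mathit{Pre}^{\forall}$ are monotonic in both arguments if we reformulate
them in terms of the more familiar $\mathit{Pre}$ operator (recall that $c \in \widetilde{\mathit{Pre}}[m](\emptyset)$ iff
$m$ is not enabled in $c$):

$$\mathit{Pre}^{\exists}(X, Y) = \bigcup_{m \in \mathit{Moves}} \bigl[\widetilde{\mathit{Pre}}[m](X) \cap \mathit{Pre}[m](Y)\bigr],$$
$$\mathit{Pre}^{\forall}(X, Y) = \bigcap_{m \in \mathit{Moves}} \bigl(\widetilde{\mathit{Pre}}[m](\emptyset) \cup \bigl[\widetilde{\mathit{Pre}}[m](X) \cap \mathit{Pre}[m](Y)\bigr]\bigr).$$

We further define
$\mathit{Pre}^{\otimes}(X, Y) \stackrel{\text{def}}{=} (\mathit{Conf}_A \cap \mathit{Pre}^{\exists}(X, Y)) \cup (\mathit{Conf}_B \cap \mathit{Pre}^{\forall}(X, Y))$.
In other words, $\mathit{Pre}^{\otimes}(X, Y)$ is exactly the set from where Alice can guarantee
in one step to have $X$ surely and $Y$ with positive probability. This can be
summarized as: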

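Fact 3.1. Let $X, Y \subseteq \mathit{Conf}$.

• If $c \in \mathit{Pre}^{\otimes}(X, Y)$, then A has a memoryless strategy $\sigma$ such that, for
every strategy $\tau$ for B: $\mathbb{P}_{\sigma,\tau}(c \models \bigcirc X) = 1$, and $\mathbb{P}_{\sigma,\tau}(c \models \bigcirc Y) > 0$.

• If $c \notin \mathit{Pre}^{\otimes}(X, Y)$, then B has a memoryless strategy $\tau$ such that, for
every strategy $\sigma$ for A: $\mathbb{P}_{\sigma,\tau}(c \models \bigcirc X) < 1$, or $\mathbb{P}_{\sigma,\tau}(c \models \bigcirc Y) = 0$.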

We introduce auxiliary (unary) operators: for $i = 1, \ldots, r$, $H_i$ is given by

$$H_i(X) \stackrel{\text{def}}{=} \mu Z.\, X \cap \mathit{Pre}^{\otimes}(X, R_i \cup Z). \tag{2}$$

The intuition is that, from $H_i(X)$, Alice has a strategy ensuring a positive probability
of reaching $R_i$ later — which would be characterized by "$\mu Z.\,\mathit{Pre}^{\otimes}(\mathit{Conf}, R_i \cup Z)$"
— all the while staying surely in $X$, hence the amendments. See Lemma 3.6
for a precise statement. Unfolding its definition, we see that $H_i(X) \subseteq X$, i.e.,
$H_i$ is contractive.

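Letting $H_{1,r}(X) \stackrel{\text{def}}{=} \bigcap_{i=1}^{r} H_i(X)$, we finally define the following fixpoint
terms:

$$W \stackrel{\text{def}}{=} \nu X.H_{1,r}(X) = \nu X.\bigcap_{i=1}^{r} H_i(X) = \nu X.\bigcap_{i=1}^{r} \bigl[\mu Z.\, X \cap \mathit{Pre}^{\otimes}(X, R_i \cup Z)\bigr],$$

$$W' \stackrel{\text{def}}{=} \nu X.\mathit{Pre}^{\otimes}\bigl(H_{1,r}(X), \mathit{Conf}\bigr) = \nu X.\mathit{Pre}^{\otimes}\Bigl(\bigcap_{i=1}^{r} \bigl[\mu Z.\, X \cap \mathit{Pre}^{\otimes}(X, R_i \cup Z)\bigr], \mathit{Conf}\Bigr),$$

$$W_1 \stackrel{\text{def}}{=} \nu X.\mu Z.\,\mathit{Pre}^{\otimes}(X, R_1 \cup Z).$$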

Theorem 3.2 (Fixpoint characterization of winning sets). For generalized Büchi
objectives on decisive arenas, the winning set $\langle A \rangle^{=1} \bigwedge_{i=1}^{r} \Box\Diamond R_i$ coincides with
$W$. Moreover $W = W'$ and from $W$ Alice has an almost-surely winning finite
memory strategy $\sigma_W$.

In the case $r = 1$ of simple Büchi objectives the winning set $\langle A \rangle^{=1} \Box\Diamond R_1$ coincides
with $W_1$ and the winning strategy $\sigma_W$ is a memoryless strategy.

Let us first explain how, in the case where $r = 1$, one derives the correctness
of $W_1$ from the correctness of $W$. Setting $r = 1$ in $W$ yields
$\langle A \rangle^{=1} \Box\Diamond R_1 = \nu X.H_1(X) = \nu X.\mu Z.\, X \cap \mathit{Pre}^{\otimes}(X, R_1 \cup Z)$.
In this situation, we can use Eq. (†), a purely algebraic and lattice-theoretical
equality that holds for any monotonic binary $f$ (see Appendix for a proof):

$$\nu X.\mu Z.\, X \cap f(X, Z) = \nu X.\mu Z.\, f(X, Z). \tag{†}$$

Applying Eq. (†) to $\nu X.H_1(X)$ yields $\nu X.H_1(X) = \nu X.\mu Z.\,\mathit{Pre}^{\otimes}(X, R_1 \cup Z)$,
which is just $W_1$.
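
The three fixpoint terms $W$, $W'$ and $W_1$ can be evaluated by plain iteration when the arena is finite (a finite arena is its own finite attractor, hence decisive). The following Python sketch is an added example, not code from the paper; the arena `ARENA`, its owner map, the move names and all function names are constructed for illustration.

```python
# Added example: W, W' and W_1 of Theorem 3.2 on a constructed finite arena.
# P[c][m] is the distribution P(c, m); m is enabled in c iff m is a key of P[c].
ARENA = {
    "a0":   {"try":   {"g1": 0.5, "a0": 0.5},
             "risk":  {"g1": 0.9, "sink": 0.1}},
    "g1":   {"go":    {"b0": 1.0}},
    "b0":   {"left":  {"g2": 0.5, "b0": 0.5},
             "right": {"g2": 0.5, "a0": 0.5}},
    "g2":   {"back":  {"a0": 1.0}},
    "b1":   {"l":     {"g1": 1.0},
             "r":     {"sink": 1.0}},
    "sink": {"stay":  {"sink": 1.0}},
}
# Partition Conf = Conf_A ∪ Conf_B (constructed).
OWNER = {"a0": "A", "g1": "A", "g2": "A", "b0": "B", "b1": "B", "sink": "B"}


def post(P, c, m):
    """Post[m](c): configurations reached from c by m with positive probability."""
    return {d for d, p in P[c][m].items() if p > 0}


def pre_otimes(P, owner, X, Y):
    """Pre^⊗(X, Y): in Conf_A some enabled move, in Conf_B every enabled move,
    has all its successors in X and at least one successor in Y."""
    result = set()
    for c, moves in P.items():
        good = [post(P, c, m) <= X and bool(post(P, c, m) & Y) for m in moves]
        if (any(good) if owner[c] == "A" else all(good)):
            result.add(c)
    return result


def lfp(f):
    """Least fixpoint of a monotonic f; on a finite arena the approximants
    U_0 = ∅, U_{n+1} = f(U_n) stabilise after finitely many steps."""
    Z = set()
    while (nxt := f(Z)) != Z:
        Z = nxt
    return Z


def gfp(f, top):
    """Greatest fixpoint of a monotonic f, iterating down from V_0 = top."""
    X = set(top)
    while (nxt := f(X)) != X:
        X = nxt
    return X


def H(P, owner, X, R):
    """H_i(X) = μZ. X ∩ Pre^⊗(X, R_i ∪ Z), Eq. (2)."""
    return lfp(lambda Z: X & pre_otimes(P, owner, X, R | Z))


def H_all(P, owner, X, goals):
    """H_{1,r}(X): intersection of the H_i(X) over all goal sets (r >= 1)."""
    return set.intersection(*(H(P, owner, X, R) for R in goals))


def winning_W(P, owner, goals):
    """W = νX. H_{1,r}(X)."""
    return gfp(lambda X: H_all(P, owner, X, goals), set(P))


def winning_W_prime(P, owner, goals):
    """W' = νX. Pre^⊗(H_{1,r}(X), Conf)."""
    conf = set(P)
    return gfp(lambda X: pre_otimes(P, owner, H_all(P, owner, X, goals), conf), conf)


def winning_W1(P, owner, R1):
    """W_1 = νX. μZ. Pre^⊗(X, R_1 ∪ Z), the simple Büchi case r = 1."""
    return gfp(lambda X: lfp(lambda Z: pre_otimes(P, owner, X, R1 | Z)), set(P))


if __name__ == "__main__":
    print(sorted(winning_W(ARENA, OWNER, [{"g1"}, {"g2"}])))
    print(sorted(winning_W(ARENA, OWNER, [{"g1"}, {"sink"}])))
```

On this arena Alice must avoid the move `risk` (it leaves the candidate set with positive probability) and Bob can escape from `b1` to `sink`, so both `sink` and `b1` are excluded from the winning set.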

Theorem 3.2 provides two different characterizations of the winning set
$\langle A \rangle^{=1}(\bigwedge_{i=1}^{r} \Box\Diamond R_i)$. Let us now prove its validity, in the general context of
decisive stochastic arenas. The proof is divided in two parts: correctness of
$W'$ in Proposition 3.5, completeness of $W$ in Proposition 3.7, and some purely
algebraic reasoning closing the loop in Lemma 3.8.

3.3 Correctness for W'

We prove that $W'$ only contains winning configurations for Alice by exhibiting a
strategy with which she ensures almost surely $\bigwedge_i \Box\Diamond R_i$ when starting from some
$c \in W'$. We first define $r$ strategies $(\sigma_i)_{1 \leq i \leq r}$, one for each goal set $R_1, \ldots, R_r$,
and prove their relevant properties. It will then be easy to combine the $\sigma_i$'s in
order to produce the required strategy.

For $i = 1, \ldots, r$, observe that $H_i(W') = W' \cap \mathit{Pre}^{\otimes}(W', R_i \cup H_i(W'))$. We
let $\sigma_i$ be the memoryless A-strategy defined as follows: for $c \in \mathit{Conf}_A \cap H_i(W')$,
Alice picks an enabled move $m$ such that $\mathit{Post}[m](c) \subseteq W'$ and
$\mathit{Post}[m](c) \cap (R_i \cup H_i(W')) \neq \emptyset$, which is possible by definition of $\mathit{Pre}^{\otimes}$, while for
$c \in \mathit{Conf}_A \cap W' \cap \neg H_i(W')$, Alice picks an enabled move $m$ with $\mathit{Post}[m](c) \subseteq H_{1,r}(W')$,
which is possible since $W' = \mathit{Pre}^{\otimes}(H_{1,r}(W'), \mathit{Conf})$.

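$H_{1,r}$ is contractive since the $H_i$'s are, hence $H_{1,r}(W') \subseteq W'$ and we deduce

$$\forall c \in W' : \forall \tau : \mathbb{P}_{\sigma_i,\tau}(c \models \Box W') = 1. \tag{3}$$

Lemma 3.3. For all $c \in W'$ there exists some $\gamma_c > 0$ such that
$\mathbb{P}_{\sigma_i,\tau}(c \models \Diamond R_i) \geq \gamma_c$ for all B-strategies $\tau$.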

Proof. Consider first $c \in H_i(W')$. Writing $(Z_\alpha)_{\alpha \in \mathit{Ord}}$ for the approximants of
$H_i(W')$, we prove, by induction on $\alpha$, that $\gamma_c > 0$ exists when $c \in Z_\alpha$. The
base case $\alpha = 0$ holds vacuously since $Z_0 = \emptyset$. For $\alpha = \lambda$ (a limit ordinal),
$Z_\lambda = \bigcup_{\beta < \lambda} Z_\beta$ so each $c \in Z_\lambda$ is in some $Z_\beta$ and the induction hypothesis
applies.

Now to the successor case $\alpha = \beta + 1$. Here $Z_\alpha = W' \cap \mathit{Pre}^{\otimes}(W', R_i \cup Z_\beta)$
and, given $\sigma_i$ and for any $\tau$, from $c \in Z_\alpha$ Alice or Bob will pick a move
$m$ with $\mathit{Post}[m](c) \cap (R_i \cup Z_\beta) \neq \emptyset$. The probability that after probabilistic
environment's move the play will be in $R_i$ exactly at the next step is precisely
$\gamma = \sum_{d \in R_i} P(c, m)(d)$ and $\gamma > 0$ if $\mathit{Post}[m](c) \cap R_i \neq \emptyset$ (and only then). If
$\gamma = 0$ then $\mathit{Post}[m](c) \cap R_i = \emptyset$ so that $\mathit{Post}[m](c) \cap Z_\beta \neq \emptyset$. Then there is a
positive probability $\gamma' = \sum_{d \in Z_\beta} P(c, m)(d)$ that after probabilistic decision the
play will be in $Z_\beta$ at the next step, hence (by induction hypothesis) a positive
probability $\gamma''$ that it will be in $R_i$ later, with $\gamma'' \geq \sum_{d \in Z_\beta} \gamma_d \cdot P(c, m)(d)$. Here
$\gamma$ and the lower bound for $\gamma''$ depend on $\tau$, or more precisely on what move $m$ is
chosen by Bob if $c \in \mathit{Conf}_B$. However, and since there are finitely many moves
in $\mathit{Moves}$, we can pick a strictly positive value that is a lower bound for all the
corresponding $\max(\gamma, \gamma'')$, proving the existence of $\gamma_c > 0$ for $c \in Z_\alpha$.

There remains the case where $c \in W' \cap \neg H_i(W')$: here $\sigma_i$ ensures that the

play will be in Hi(W') in the next step, and we can take 7 C = min„ ie Moves{P(c, m){d)- 
jd I P(c, m)(d) > and d G This definition ensures 7 C > 0, which 

concludes the proof. □ 
Lemma 3.4. $\mathbb{P}_{\sigma_i,\tau}(c \models \Box W' \wedge \Box\Diamond R_i) = 1$ for all $c \in W'$ and all B-strategies
$\tau$.



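Proof. This is where we use that $\mathcal{G}$ is decisive. Let $c \in W'$ and $\tau$ be any strategy
for Bob. Eq. (1) applied to set $R_i$, initial configuration $c$, and strategy profile
$(\sigma_i, \tau)$ gives:

$$\mathbb{P}_{\sigma_i,\tau}(c \models \Box\Diamond R_i \vee \Diamond\neg\mathit{Pre}^*_{\sigma_i,\tau}(R_i)) = 1.$$

Using Eq. (3), we deduce $\mathbb{P}_{\sigma_i,\tau}(c \models \Box W' \wedge (\Box\Diamond R_i \vee \Diamond\neg\mathit{Pre}^*_{\sigma_i,\tau}(R_i))) = 1$.
Observe now that $W' \subseteq \mathit{Pre}^*_{\sigma_i,\tau}(R_i)$, thanks to Lemma 3.3. As a consequence,
$\mathbb{P}_{\sigma_i,\tau}(c \models \Box W' \wedge \Diamond\neg\mathit{Pre}^*_{\sigma_i,\tau}(R_i)) = 0$, so that we conclude
$\mathbb{P}_{\sigma_i,\tau}(c \models \Box W' \wedge \Box\Diamond R_i) = 1$. □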

Proposition 3.5 (Correctness of W'). $W' \subseteq \langle A \rangle^{=1}(\bigwedge_{i=1}^{r} \Box\Diamond R_i)$.

Proof. By combining the strategies $\sigma_i$'s, we define a finite-memory strategy $\sigma_W$
that guarantees $\mathbb{P}_{\sigma_W,\tau}(c \models \bigwedge_i \Box\Diamond R_i) = 1$ for any $c \in W'$ and against any
B-strategy $\tau$.

More precisely, $\sigma_W$ has $r$ modes: $1, 2, \ldots, r$. In mode $i$, $\sigma_W$ behaves like $\sigma_i$
until $R_i$ is reached, which is bound to eventually happen with probability 1 by
Lemma 3.4. Note that the play remains constantly in $W'$. Once $R_i$ has been
reached, $\sigma_W$ switches to mode $i + 1 \pmod r$, playing at least one move. This is
repeated in a neverending cycle, ensuring $\Box\Diamond R_i$ with probability 1. □



3.4 Completeness of W 

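In order to prove that $W$ contains the winning set for Alice, we show that
$\langle A \rangle^{=1} \bigwedge_i \Box\Diamond R_i$ is a post-fixpoint of $H_{1,r}$, thus necessarily included in its greatest
fixpoint $W$.

Lemma 3.6. $H_i(X) \supseteq \{c \mid \exists\sigma\, \forall\tau,\ \mathbb{P}_{\sigma,\tau}(c \models \Box X) = 1 \text{ and } \mathbb{P}_{\sigma,\tau}(c \models \bigcirc\Diamond R_i) > 0\}$.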

Proof. We actually prove a stronger claim: we show that there exists a memoryless
strategy $\tau$ for Bob such that for every $c \notin H_i(X)$ and every strategy $\sigma$
for Alice, either $\mathbb{P}_{\sigma,\tau}(c \models \Diamond\neg X) > 0$, or $\mathbb{P}_{\sigma,\tau}(c \models \bigcirc\Box\neg R_i) = 1$.

Let $c \notin H_i(X)$. By definition $\neg H_i(X) = \neg X \cup \neg\mathit{Pre}^{\otimes}(X, R_i \cup H_i(X))$. If
$c \notin X$, then trivially $\mathbb{P}_{\sigma,\tau}(c \models \Diamond\neg X) > 0$ for any $(\sigma, \tau)$ so we do not care how $\tau$
is defined here. Consider now $c \notin \mathit{Pre}^{\otimes}(X, R_i \cup H_i(X))$. By Fact 3.1 Bob has a
(memoryless) strategy $\tau_c$ such that against any strategy $\sigma$ for Alice,
$\mathbb{P}_{\sigma,\tau_c}(c \models \bigcirc X) < 1$ or $\mathbb{P}_{\sigma,\tau_c}(c \models \bigcirc(R_i \cup H_i(X))) = 0$, which can be reformulated as
$\mathbb{P}_{\sigma,\tau_c}(c \models \bigcirc\neg X) > 0$ or $\mathbb{P}_{\sigma,\tau_c}(c \models \bigcirc(\neg R_i \cap \neg H_i(X))) = 1$. For $c \in \mathit{Conf}_B$,
we define $\tau(c)$ as the move given by $\tau_c(c)$. The resulting strategy $\tau$ guarantees,
starting from $\neg H_i(X)$, that the game will either always stay in $\neg R_i \cap \neg H_i(X)$
(after the 1st step) or has a positive probability of visiting $\neg X$ eventually. □

Proposition 3.7 (Completeness of W). $\langle A \rangle^{=1}(\bigwedge_{i=1}^{r} \Box\Diamond R_i) \subseteq W$.

Proof. Let $c \in \langle A \rangle^{=1} \bigwedge_i \Box\Diamond R_i$, and $\sigma$ be a strategy ensuring $\bigwedge_i \Box\Diamond R_i$ with
probability 1 from $c$. Consider $E = \{d \in \mathit{Conf} \mid \exists\tau : \mathbb{P}_{\sigma,\tau}(c \models \Diamond d) > 0\}$,
i.e., the set of configurations that can be visited under strategy $\sigma$. Obviously
$c \in E$. Furthermore, for any $d \in E$ and any B-strategy $\tau$, $\mathbb{P}_{\sigma',\tau}(d \models \Box E) = 1$
holds, where $\sigma'$ is a suffix strategy of $\sigma$ after $d$ is visited, that is, $\sigma'$ behaves
from $d$ like $\sigma$ would after some prefix ending in $d$. Since furthermore
$\mathbb{P}_{\sigma',\tau}(d \models \bigwedge_i \Box\Diamond R_i) = 1$ by assumption, we deduce in particular $\mathbb{P}_{\sigma',\tau}(d \models \bigcirc\Diamond R_i) = 1$
for any $i = 1, \ldots, r$. Hence $E \subseteq H_i(E)$ for any $i$ by Lemma 3.6, and thus
$E \subseteq H_{1,r}(E)$. Finally $E$ is a post-fixpoint of $H_{1,r}$, and is thus included in its
greatest fixpoint. We conclude that $c \in \nu X.H_{1,r}(X) = W$. □

The loop is closed, and Theorem 3.2 proven, with the following lattice-theoretical
reasoning:

Lemma 3.8. $W \subseteq W'$.

Proof. Recall that $W = \nu X.H_{1,r}(X)$, so that $W = H_{1,r}(W)$. Similarly, using
Eq. (2), we deduce $H_{1,r}(W) = \bigcap_i H_i(W) = \bigcap_i (W \cap \mathit{Pre}^{\otimes}(W, R_i \cup H_i(W)))$, hence
$H_{1,r}(W) \subseteq \mathit{Pre}^{\otimes}(W, \mathit{Conf})$ by monotonicity of $\mathit{Pre}^{\otimes}$ in its second argument.
Combining these two points gives $W = H_{1,r}(W) \subseteq \mathit{Pre}^{\otimes}(H_{1,r}(W), \mathit{Conf})$, hence
$W$ is a post-fixpoint of $X \mapsto \mathit{Pre}^{\otimes}(H_{1,r}(X), \mathit{Conf})$ and is included in its greatest
fixpoint $W'$. □

4 Stochastic games on lossy channel systems 

Theorem 3.2 entails the decidability of generalized Büchi games on channel systems
with probabilistic message losses, or PLCS's. This is obtained by applying
a generic and powerful "finite-time convergence theorem" for fixpoints defined
on WQO's.

4.1 Channel systems with guards 

A channel system is a tuple $S = (Q, C, M, \Delta)$ consisting of a finite set
$Q = \{q, q', \ldots\}$ of locations, a finite set $C = \{ch_1, \ldots, ch_d\}$ of channels, a finite
message alphabet $M = \{a, b, \ldots\}$ and a finite set $\Delta = \{\delta, \ldots\}$ of transition rules.
Each transition rule has the form $(q, g, op, q')$, written q q', where $g$ is a
guard (see below), and $op$ is an operation of one of the following three forms:
$ch!a$ (sending message $a \in M$ along channel $ch \in C$), $ch?a$ (receiving message $a$
from channel $ch$), or $\surd$ (an internal action to some process, no I/O-operation).

Let $S$ be a channel system as above. A configuration of $S$ is a pair $c = (q, w)$
where $q$ is a location of $S$ and $w : C \to M^*$ is a mapping that describes the
current channel contents, and we write $\mathit{Conf}_S \stackrel{\text{def}}{=} Q \times (M^*)^{C}$.

A guard is a predicate on channel contents used to constrain the firability of
rules. In this paper, a guard is a tuple $g = (L_1, \ldots, L_d) \in \mathit{Reg}(M)^{|C|}$ of regular
languages, one for each channel. For a configuration $c = (q, w_1, \ldots, w_d)$, we
write $c \models g$, and say that $c$ respects $g$, when $w_i \in L_i$ for all $i = 1, \ldots, d$.

Rules give rise to transitions in the operational semantics. Let $\delta = (q_1, g, op, q_2)$
be a rule in $\Delta$ and let $c = (q, w)$, $c' = (q', w')$ be two configurations of $S$. We
write $c \xrightarrow{\delta} c'$, and say that $\delta$ is enabled in $c$, if $q = q_1$, $q' = q_2$, $c \models g$, and $w'$ is
the valuation obtained from $w$ by applying $op$. Formally $w' = w$ if $op = \surd$, and
otherwise if $op = ch_i!a$ (resp. if $op = ch_i?a$) then $w'_i = w_i.a$ (resp. $a.w'_i = w_i$)
and $w'_j = w_j$ for all $j \neq i$.

For simplicity, we assume in the rest of the paper that $S$ denotes a fixed
channel system $S = (Q, C, M, \Delta)$ that has no deadlock configurations, i.e., every
$c \in \mathit{Conf}_S$ has an enabled rule: this is no loss of generality since it is easy
(when guards are allowed) to add rules going to a new sink location exactly in
configurations where none of the original rules is enabled.

Remark (About guards). Allowing guards in transition rules is useful (e.g.,
for expressing priorities) but departs from the standard models of channel systems
\29$ . Indeed, testing the whole contents of a fifo channel is not a realistic
feature when modeling distributed asynchronous systems. However, (unreliable)
channel systems are now seen more broadly as a fundamental computational
model with algorithmic applications beyond distributed protocols: see,
e.g., \26l [5J 1 1 1[ \14V - In such settings, simple guards have been considered and
proved useful: see, e.g., fl^\ [TR

Using additional control states and messages, it is sometimes possible to
simulate guards in (lossy) channel systems. We note that the known simulations
only preserve nondeterministic reachability, not game-theoretical properties in
stochastic environments. □



4.2 Probabilistic message losses 

PLCS's are channel systems where messages can be lost (following some probabilistic
model) while they are in the channels [301 [TU1 HI [Tl I32 j . In this paper,
we shall consider two kinds of unreliability caused by a stochastic environment: 
message losses on one hand, and combinations of message losses and duplications 
on the other hand. 

Message losses are traditionally modeled via the subword relation: given
two words $u, v \in M^*$, we write $u \sqsubseteq v$ when $u$ is a subword, i.e., a scattered
subsequence, of $v$. For two configurations $c = (q, w)$ and $d = (q', w')$, we let
$c \sqsubseteq d \stackrel{\text{def}}{\Leftrightarrow} [q = q'$ and $w_i \sqsubseteq w'_i$ for all $i = 1, \ldots, d]$. In other words, $c \sqsubseteq d$ when
$c$ is the result of removing some messages (possibly none) at arbitrary places in
the channel contents for $d$.

Message duplications are modeled by a rational transduction $T_{dup} \subseteq M^* \times M^*$
over sequences of messages, where every single message $a \in M$ is replaced by
either $a$ or $aa$. We write $u \leadsto_{dup} v$ when $(u, v) \in T_{dup}$ and we extend to
configurations with $(q, w) \leadsto_{dup} (q', w') \stackrel{\text{def}}{\Leftrightarrow} [q = q'$ and $w_i \leadsto_{dup} w'_i$ for all
$i = 1, \ldots, d]$.

For PLCS's with only message losses, we write $c \leadsto d$ when $c \sqsupseteq d$ ($\Leftrightarrow d \sqsubseteq c$).
For PLCS's with losses and duplications, $c \leadsto d$ means that $c \leadsto_{dup} c'' \sqsupseteq d$ for
some $c''$.
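
The perturbation relations just defined can be checked directly on channel contents. The following Python sketch is an added example, not part of the paper; configurations are modelled as `(location, tuple_of_words)` with one character per message, and the function names are chosen here for illustration. The duplication check compares run-length encodings, and the combined check uses the fact that every duplication of `w` is a subword of the word where each message of `w` is doubled.

```python
from itertools import groupby


def is_subword(u, v):
    """u ⊑ v: u is a scattered subsequence of v (`a in it` consumes the iterator)."""
    it = iter(v)
    return all(a in it for a in u)


def runs(w):
    """Run-length encoding, e.g. 'aab' -> [('a', 2), ('b', 1)]."""
    return [(a, len(list(g))) for a, g in groupby(w)]


def is_dup(u, v):
    """u ⇝dup v: v is u with every message a replaced by a or aa.
    A run of k equal messages in u must become a run of k..2k in v."""
    ru, rv = runs(u), runs(v)
    return len(ru) == len(rv) and all(
        a == b and k <= n <= 2 * k for (a, k), (b, n) in zip(ru, rv)
    )


def perturbs(c, d, duplications=False):
    """c ⇝ d for configurations c = (q, words), d = (q', words').
    Losses only: d ⊑ c channel-wise.
    Losses and duplications: d ⊑ c'' for some c ⇝dup c''; since every such c''
    is a subword of the fully doubled contents, testing against it suffices."""
    (q, ws), (q2, ws2) = c, d
    if q != q2 or len(ws) != len(ws2):
        return False
    if duplications:
        ws = tuple("".join(a + a for a in w) for w in ws)
    return all(is_subword(w2, w) for w, w2 in zip(ws, ws2))
```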

In PLCS's, message perturbations are probabilistic events. Formally, we
associate a distribution $D_{env}(c) \in \mathit{Dist}(\mathit{Conf}_S)$ with every configuration
$c \in \mathit{Conf}_S$ and we say that "$D_{env}(c, d)$ is the probability that $c$ becomes $d$ by
message losses and duplications (in one step)". Given $D_{env}$ and a partition
$\mathit{Conf}_S = \mathit{Conf}_A \cup \mathit{Conf}_B$, the channel system $S$ with probabilistic losses defines a
stochastic arena $\mathcal{G}_S = (\mathit{Conf}_S, \Delta, P)$ where the moves available to the players are
exactly the rules of $S$, and the probabilistic transition function $P$ is formalized
by: for every $c \in \mathit{Conf}_S$ and $\delta$ enabled in $c$, $P(c, \delta) \stackrel{\text{def}}{=} D_{env}(d)$ where $c \xrightarrow{\delta} d$.

The qualitative properties that we are interested in do not depend on the
exact choices made for $D_{env}$. In this paper, we only require that $D_{env}$ is
well-behaved, i.e., satisfies the following two properties:

Compatibility with nondeterministic semantics: $D_{env}(c)(c') > 0$ iff $c \leadsto c'$.

Decisiveness: The arena $\mathcal{G}_S$ is decisive.

A now standard choice for $D_{env}$ in PLCS's models message losses (and duplications)
as independent events. One assumes that at every step, each individual
message can be lost with a fixed probability $\lambda \in (0, 1)$, duplicated with a fixed
probability $\lambda' \in [0, 1)$ (and remains unperturbed with probability $1 - \lambda - \lambda'$).
This is the so-called local-fault model from [31 [3H 133], and it gives rise to a
well-behaved $D_{env}$ when only message losses are considered, i.e., when $\lambda' = 0$,
or when losses are more probable than duplications, i.e., when $0 < \lambda' < \lambda$.
In particular, the set $F \stackrel{\text{def}}{=} \{(q, \varepsilon, \ldots, \varepsilon) \mid q \in Q\}$ of configurations with empty
channels is a finite attractor in $\mathcal{G}_S$, which entails decisiveness [3]. The interested
reader can find in [31 sections 5&6] some detailed computations of $D_{env}(c)(c')$
in the local-fault model, but s/he must be warned that the qualitative outcomes
on PLCS's do not depend on these values as long as $D_{env}$ is well-behaved.

4.3 Regular model-checking of channel systems 

Regular model-checking |12l 125] is a symbolic verification technique where one 
computes infinite but regular sets of configurations using representations from 
automata theory or from constraint solving. 

Definition 4.1. A (regular) region of $S$ is a set $R \subseteq Conf_S$ of configurations
that can be written under the form $R = \bigcup_{i \in I} \{q_i\} \times L_i^1 \times \cdots \times L_i^d$ with a finite
index set $I$, and where, for $i \in I$, $q_i$ is some location $\in Q$, and each $L_i^j$ for
$j = 1, \ldots, d$ is a regular language $\in Reg(M)$.

Let $\mathcal{R} \subseteq 2^{Conf_S}$ denote the set of all regions of $S$. A monotonic operator $f$ is
regularity-preserving if $f(R_1, \ldots, R_n) \in \mathcal{R}$ when $R_1, \ldots, R_n \in \mathcal{R}$. A
regularity-preserving $f$ is effective if a representation for $f(R_1, \ldots, R_n)$ can be computed
uniformly from representations for the $R_i$'s (and from $S$). For example, the
set-theoretical $\cup$ and $\cap$ are regularity-preserving and effective. While not a monotonic
operator, complementation is regularity-preserving and effective. Hence the
dual $\widetilde{f}$ of any $f$ is regularity-preserving and effective when $f$ is.

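For the verification of (lossy) channel systems in general, and the resolution
of games in particular, some useful operators are the unary pre-images $Pre_S[\delta]$
for $\delta \in \Delta$, and the upward- and downward-closures $C_\uparrow$ and $C_\downarrow$, defined with

$$Pre_S[\delta](U) \stackrel{def}{=} \{c \in Conf_S \mid \exists c' \in U : c \xrightarrow{\delta} c'\}, \qquad C_\uparrow(U) \stackrel{def}{=} \{c \in Conf_S \mid \exists c' \in U : c' \sqsubseteq c\},$$
$$Pre_S(U) \stackrel{def}{=} \bigcup_{\delta \in \Delta} Pre_S[\delta](U), \qquad C_\downarrow(U) \stackrel{def}{=} \{c \in Conf_S \mid \exists c' \in U : c \sqsubseteq c'\}.$$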

Observe that $Pre_S[\delta]$ and $Pre_S$ are pre-images for steps of channel systems
without/before message perturbations, while $C_\uparrow$ and $C_\downarrow$ are pre- and post-images
for the message-losing relation. $C_\uparrow$ and $C_\downarrow$ are closure operators. Their duals
are interior operators: $K_\downarrow(U) \stackrel{def}{=} \widetilde{C_\uparrow}(U)$ and $K_\uparrow(U) \stackrel{def}{=} \widetilde{C_\downarrow}(U)$ are the largest
downward-closed and, resp., upward-closed, subsets of $U$. Finally, we are also
interested in pre-images for $T_{dup}$: we write $T_{dup}^{-1}(U)$ for $\{c \mid \exists c' \in U : c \; T_{dup} \; c'\}$.
We remark that $T_{dup}^{-1}(Conf_S) = Conf_S$, and that $T_{dup}^{-1}(C_\uparrow U) = C_\uparrow(T_{dup}^{-1}(C_\uparrow U)) = C_\uparrow T_{dup}^{-1}(U)$,
i.e., the definition of c c' is not sensitive to the order of perturbations.

Fact 4.2. $Pre_S[\delta]$, $Pre_S$, $C_\uparrow$, $C_\downarrow$, $T_{dup}^{-1}$ and their duals are regularity-preserving
and effective (monotonic) operators.

When using effective regularity-preserving operators, one can evaluate any
closed $L_\mu$ term that does not include fixpoints. For a closed $U = \mu X.\varphi(X)$,
or $V = \nu X.\varphi(X)$, term with a single fixpoint, any approximant $U_k$ and $V_k$ for
a finite $k \in \mathbb{N}$ can be evaluated but there is no guarantee that the fixpoint is
reached in finite time, or that the fixpoint is a regular region. However, for
fixpoints over a WQO like $Conf_S$, there exists a generic finite-time convergence
theorem.

Definition 4.3 (Guarded $L_\mu$ terms). 1. A variable $Z$ is upward-guarded in an
$L_\mu$ term $\varphi$ if every occurrence of $Z$ in $\varphi$ is under the scope of an upward-closure
$C_\uparrow$ or upward-interior $K_\uparrow$ operator.

2. It is downward-guarded in $\varphi$ if all its occurrences in $\varphi$ are under the scope
of a downward-closure $C_\downarrow$ or downward-interior $K_\downarrow$ operator.

3. A term $\varphi$ is guarded if every least fixpoint subterm $\mu Z.\psi$ of $\varphi$ has $Z$
upward-guarded in $\psi$, and every greatest fixpoint subterm $\nu Z.\psi$ has $Z$ downward-guarded
in $\psi$.

Theorem 4.4 (Effective & regularity-preserving fixpoints). Any guarded
term $\varphi(X_1, \ldots, X_n)$ built with regularity-preserving and effective operators
denotes a regularity-preserving and effective $n$-ary operator. Furthermore the
denotation of a closed term can be evaluated by computing its approximants which
are guaranteed to converge after finitely many steps.

Theorem 4.4 is a special case of the main result of [8] (see also [22]) where
it is stated for arbitrary well-quasi-ordered sets (WQO's) and a generic notion
of "effective regions". We recall that, by Higman's lemma, $(Conf_S, \sqsubseteq)$ is a
well-quasi-ordered set, i.e., a quasi-ordered set ($\sqsubseteq$ is reflexive and transitive)
such that every infinite sequence $c_0, c_1, c_2, \ldots$ contains an increasing subsequence
$c_i \sqsubseteq c_j$ (with $i < j$).
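
The approximant computation behind the finite-convergence theorem for guarded terms, as an added example that is not code from the paper: it evaluates the least fixpoint $\mu Z. C_\uparrow(G \cup Pre_S(Z))$, in which $Z$ is upward-guarded, on a small single-channel system, representing each upward-closed region by its finite set of minimal elements. The rules, the goal region and all function names are assumptions constructed for the illustration.

```python
# Added illustration; the system, goal and all function names are constructed.
def subword(u, v):
    """True iff u embeds in v (the ordering of Higman's lemma on channel contents)."""
    it = iter(v)
    return all(ch in it for ch in u)

def leq(c, d):
    """Ordering on configurations (location, channel): same location, subword contents."""
    return c[0] == d[0] and subword(c[1], d[1])

def minimize(confs):
    """Minimal elements of confs: the finite basis of the upward closure of confs."""
    confs = set(confs)
    return frozenset(c for c in confs if not any(d != c and leq(d, c) for d in confs))

def covers(basis, c):
    """Membership of c in the upward-closed region generated by basis."""
    return any(leq(b, c) for b in basis)

def pre_basis(rules, basis):
    """Generators of the upward closure of Pre_S(U), U being generated by basis."""
    out = set()
    for (q, op, m, q2) in rules:
        for (loc, w) in basis:
            if loc != q2:
                continue
            if op == "!":    # send: (q, x) steps to (q2, x + m)
                out.add((q, w[:-1] if w.endswith(m) else w))
            else:            # receive: (q, m + x) steps to (q2, x)
                out.add((q, m + w))
    return out

def backward_fixpoint(rules, goal):
    """Approximants U_0 = {} and U_{k+1} = C_up(goal | Pre_S(U_k)) until they stabilize."""
    basis, history = frozenset(), []
    while True:
        nxt = minimize(set(goal) | pre_basis(rules, basis))
        history.append(nxt)
        if nxt == basis:
            return basis, history
        basis = nxt

# Constructed sample: locations p, q, r, s; one FIFO channel over messages a, b.
RULES = [("p", "!", "a", "q"), ("q", "!", "b", "p"),
         ("q", "?", "a", "s"), ("s", "?", "b", "r")]
GOAL = {("r", "")}           # every configuration at location r

if __name__ == "__main__":
    basis, history = backward_fixpoint(RULES, GOAL)
    for k, b in enumerate(history, 1):
        print(k, sorted(b))
```

The bases are not monotone as sets (an element such as `("q", "ab")` is later replaced by the smaller `("q", "a")`), but the regions they generate grow at every step until the basis repeats.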

4.4 Stochastic games on lossy channel systems 

In the context of section 4.2 and the decisive stochastic arena $\mathcal{G}_S$, we can
reformulate the Pre operator used in Section 3 as a regularity-preserving and
effective operator.

When we only consider message losses, $Pre[\delta](X) = Pre_S[\delta](C_\uparrow X)$ (thanks
to the assumption that $D_{env}$ is compatible with the nondeterministic
semantics). If also duplications are considered, then $Pre[\delta](X) = Pre_S[\delta](T_{dup}^{-1}(C_\uparrow X))$.
In order to deal uniformly with the two cases we shall let $T_{dup}$ be the
identity relation when duplications are not considered. By duality
$\widetilde{Pre}[\delta](X) = \widetilde{Pre_S}[\delta](K_\downarrow(\widetilde{T_{dup}^{-1}}(X)))$ and the derived operators satisfy
$Pre^{\exists}(X, Y) = Pre^{\exists}(K_\downarrow X, C_\uparrow Y)$, $Pre^{\forall}(X, Y) = Pre^{\forall}(K_\downarrow X, C_\uparrow Y)$ and
$Pre^{\otimes}(X, Y) = Pre^{\otimes}(K_\downarrow X, C_\uparrow Y)$. Thus Theorem 3.2 rewrites:

$$\langle A \rangle^{=1} \bigwedge_{i=1}^{r} \Box\Diamond R_i = \nu X. \bigcap_{i=1}^{r} H_i(X) = \nu X. Pre^{\otimes}\Big(K_\downarrow \bigcap_{i=1}^{r} H_i(X), Conf_S\Big), \qquad (4)$$

with $H_i(X) \stackrel{def}{=} \mu Z. X \cap Pre^{\otimes}(K_\downarrow X, C_\uparrow(R_i \cup Z))$. Observe how the closure
properties of $Pre^{\otimes}$ let us easily rewrite W into a guarded term. The same
technique does not apply to the simpler term W and this explains why we
developed two characterizations of the winning set in Section 2. However, in
the case where $r = 1$, the characterization with W can be simplified in $W_1$ and
Theorem 3.2 yields the following guarded term for stochastic Büchi games on
lossy channel systems: $\langle A \rangle^{=1} \Box\Diamond R_1 = \nu X. \mu Z. Pre^{\otimes}(K_\downarrow X, C_\uparrow(R_1 \cup Z))$.

Since $H_i(X)$ and $\langle A \rangle^{=1} \bigwedge_{i=1}^{r} \Box\Diamond R_i$ have guarded $L_\mu$ expressions, the following
decidability result is an immediate application of Theorem 4.4 to Eq.

Theorem 4.5 (Decidability of Generalized Büchi games with probability 1).
In stochastic games on lossy channel system $S$ with regular arena partition
$Conf_S = Conf_A \cup Conf_B$ and for regular goal regions $R_1, \ldots, R_r$, the winning
set $\langle A \rangle^{=1} \bigwedge_{i=1}^{r} \Box\Diamond R_i$ is a regular region that can be computed uniformly from
$S$ and $R_1, \ldots, R_r$.

Furthermore, the winning strategies have simple finite representations. One
first computes the regular region W (= W). Then for each rule $\delta \in \Delta$, and each
$i = 1, \ldots, r$, one computes $V_i^{\delta} \stackrel{def}{=} Conf_A \cap Pre_S[\delta](K_\downarrow W \cap C_\uparrow(R_i \cup H_i(W)))$,
these are again regular regions. The strategy $\sigma_i$ for Alice is then "when in $V_i^{\delta}$,
choose $\delta$" and the strategy $\sigma_W$ is just a combination of the $\sigma_i$'s using finite
memory and testing when we are in the $R_i$'s.

On complexity. Theorem 4.4 does not only show that $W = \langle A \rangle^{=1} \bigwedge_{i} \Box\Diamond R_i$
is computable from $S$ and $R_1, \ldots, R_r$. It also shows that $W$ is obtained by
computing the sequence of approximants $(W_k)_{k \in \mathbb{N}}$ (given by $W_0 = Conf_S$
and $W_{k+1} = Pre^{\otimes}(K_\downarrow H_{1,r}(W_k), Conf_S)$) until the sequence stabilizes, which
is guaranteed to eventually occur. Furthermore, computing $H_{1,r}(W_k)$, i.e.,
$\bigcap_{i=1}^{r} H_i(W_k)$, involves $r$ fixpoint computations that can use the same technique:
sequences of approximants guaranteed to converge in finite time by Theorem 4.4.

There now exist generic upper bounds on the convergence time of such
sequences, see [33]. In our case, they entail that the above symbolic algorithm
computing the regular region $\langle A \rangle^{=1} (\bigwedge_{i=1}^{r} \Box\Diamond R_i)$ runs in time $F_{\omega^\omega}(O(n))$, where
$n$ is the size of a description of $S, R_1, \ldots, R_r$, and where $F_{\omega^\omega}$ is the first function
in the extended Grzegorczyk hierarchy that is not multiply-recursive (a kind
of "Hyper-Ackermann" function).

This bound is optimal: deciding whether $c \in \langle A \rangle^{=1} (\bigwedge_{i=1}^{r} \Box\Diamond R_i)$ is $\mathbf{F}_{\omega^\omega}$-hard
since this generalizes reachability questions (in lossy channel systems) that are
$\mathbf{F}_{\omega^\omega}$-hard Q3].

Corollary 4.6. Deciding whether $c \in \langle A \rangle^{=1} (\bigwedge_{i=1}^{r} \Box\Diamond R_i)$ for given $S$, $c$, $R_1$,
$\ldots$, $R_r$ is $\mathbf{F}_{\omega^\omega}$-complete.

5 Concluding remarks 

We gave a simple fixpoint characterization of winning sets and winning strategies
for 2-player stochastic games where a generalized Büchi objective should be
satisfied almost-surely. The characterization is correct for any countable decisive
arena.

Such fixpoint characterizations lead to symbolic model-checking and symbolic
strategy-synthesizing algorithms for infinite-state systems and programs.
The main issue here is the finite-time convergence of the fixpoint computations.
For well-quasi-ordered sets, one can use generic results showing the finite-time
convergence of so-called "guarded" fixpoint expressions as we demonstrated by
showing the decidability of generalized Büchi games on probabilistic lossy channel
systems, a well-quasi-ordered model that induces decisive arenas.

We believe Theorem 4.4 has more general applications for games, stochastic
or not, on well-quasi-ordered infinite-state systems. We would like to mention
quantitative objectives as an interesting direction for future works (see [32, 36]).

A Proof of Equation page 6



Section 3 relies on the following Lemma for simplifying the characterization of
winning sets for simple Büchi objectives:

Lemma A.1 (Contractive fixpoint). For any binary (monotonic) operator
$f$, $\nu X. \mu Y. X \cap f(X, Y) = \nu X. \mu Y. f(X, Y)$.

This is a purely algebraic and lattice-theoretical result that is not specific to 
stochastic games or channel systems. We include its proof here for the sake of 
completeness. 

We start with a simpler lemma: let $h$ be a unary (monotonic) operator.

Lemma A.2. Assume $U = \mu Y. h(Y)$ and $V \supseteq U$. Then $\mu Y. V \cap h(Y) = U$.

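Proof. Write $W$ for $\mu Y. V \cap h(Y)$. Now $V \cap h(Y) \subseteq h(Y)$ entails
$\mu Y. V \cap h(Y) \subseteq \mu Y. h(Y)$, i.e., $W \subseteq U$, by monotonicity.

For the other inclusion, we consider the approximants $(U_\alpha)_{\alpha \in Ord}$ of $U$ and
show, by induction over $\alpha$, that $U_\alpha \subseteq W$ for all $\alpha$, which is sufficient since
$U = \bigcup_\alpha U_\alpha$.

The base case $\alpha = 0$ is clear since $U_0 = \emptyset$. For the inductive case $\alpha = \beta + 1$,
one has $U_\alpha \stackrel{def}{=} h(U_\beta)$. From $U_\beta \subseteq W$ (the ind. hyp.) we deduce $h(U_\beta) \subseteq h(W)$.
From $U_\beta \subseteq U$ and $h(U) = U$, we deduce $h(U_\beta) \subseteq h(U) = U \subseteq V$. Thus
$U_\alpha \subseteq V \cap h(W) = W$. Now for a limit $U_\lambda$, we obtain $U_\lambda \subseteq W$ from
$U_\lambda = \bigcup_{\beta < \lambda} U_\beta$ and the ind. hyp. □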

We may now prove Lemma A.1. Write $g(X, Y)$ for $X \cap f(X, Y)$ and let
$U \stackrel{def}{=} \nu X. \mu Y. f(X, Y)$ and $V \stackrel{def}{=} \nu X. \mu Y. g(X, Y)$. From $g(X, Y) \subseteq f(X, Y)$ we
derive $V \subseteq U$ by monotonicity.

For the reverse inclusion, let $(V_\alpha)_{\alpha \in Ord}$ be the approximants of $V$. We claim
that they satisfy the following inclusions and equalities:

$$\mu Y. f(V_\alpha, Y) \subseteq V_\alpha, \qquad \mu Y. f(V_\alpha, Y) = V_{\alpha+1}, \qquad U \subseteq V_\alpha. \qquad (P_\alpha, P'_\alpha, P''_\alpha)$$

Note that $(P'_\alpha)$ entails $(P_\alpha)$ since $V_{\alpha_1} \subseteq V_{\alpha_2}$ when $\alpha_1 > \alpha_2$. Reciprocally $(P_\alpha)$
entails $(P'_\alpha)$ since assuming $(P_\alpha)$ and applying Lemma A.2 on $h(Y) \stackrel{def}{=} f(V_\alpha, Y)$
gives $\mu Y. f(V_\alpha, Y) = \mu Y. V_\alpha \cap f(V_\alpha, Y) = \mu Y. g(V_\alpha, Y)$, which is the definition
of $V_{\alpha+1}$. Therefore it is sufficient to prove $(P_\alpha)$ and $(P''_\alpha)$, which we do by
induction over $\alpha$.

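For the base case, $(P_0)$ and $(P''_0)$ are clear since $V_0 = Conf$.

For the successor case $\alpha = \beta + 1$, we start with $\mu Y. f(V_\alpha, Y) \subseteq \mu Y. f(V_\beta, Y)$
(by monotonicity, since $V_\alpha \subseteq V_\beta$) and combine with the ind. hyp. $(P'_\beta)$, i.e.,
$\mu Y. f(V_\beta, Y) = V_\alpha$, to obtain $(P_\alpha)$. For $(P''_\alpha)$, we use the ind. hyp. $U \subseteq V_\beta$ from
which we deduce $\mu Y. f(U, Y) \subseteq \mu Y. f(V_\beta, Y)$, i.e., $U \subseteq V_\alpha$, since $U = \mu Y. f(U, Y)$
by definition of $U$, and $V_\alpha = \mu Y. f(V_\beta, Y)$ is the ind. hyp. $(P'_\beta)$.

For the limit case $\alpha = \lambda$, one obtains $(P''_\lambda)$ directly from the ind. hyp. and
the definition $V_\lambda = \bigcap_{\beta < \lambda} V_\beta$. For $(P_\lambda)$, we know $\mu Y. f(V_\lambda, Y) \subseteq \mu Y. f(V_\beta, Y)$ for
all $\beta < \lambda$ since $V_\lambda \subseteq V_\beta$. Hence $\mu Y. f(V_\lambda, Y) \subseteq \bigcap_{\beta < \lambda} \mu Y. f(V_\beta, Y) \subseteq \bigcap_{\beta < \lambda} V_\beta$
(by ind. hyp.) $= V_\lambda$.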

Finally, since $(P''_\alpha)$ holds for all $\alpha$ and since $V = \bigcap_\alpha V_\alpha$, we deduce $U \subseteq V$.